IKE Phase 1
Existing configuration of the ASA 5510:
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
=====
I want to create another site-to-site VPN; the second site also uses the same parameters (pre-share, aes-256, hash sha, group 5).
Should I set it up again using a different policy number, or use the existing one?
You can share the crypto config you have. If you don't need a new policy, and if the second peer also uses the same Phase 2 crypto, you also don't need another transform-set.
All you need is an additional sequence in the existing crypto map with (at least) "set peer", "set transform-set" and "match address".
Tags: Cisco Security
Similar Questions
-
VPN configuration - IKE phase 1...
I have some confusion about the VPN configuration... On my ASA the IKE phase 1 settings mentioned below are already configured.
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
Last week I configured a new L2L VPN. For the IPsec phase I added the lines mentioned below...
crypto map toremote 20 match address remotevpn2
crypto map toremote 20 set peer x.x.x.x
crypto map toremote 20 set transform-set strong
crypto map toremote 20 set security-association lifetime seconds 28800
Now my question is: crypto map seq no 20 is not matched with any IKE phase 1 seq no (1, 9, 10, 30) that is already configured, but the VPN is up and working fine. How does it associate a particular IKE phase 1 policy with IPsec?
If I want to configure a new VPN with different IKE phase 1 parameters, like 3DES, SHA1, lifetime 86400, what configuration do I have to do in IKE phase 1?
Kind regards
SOM
The isakmp policy number and the ipsec policy (crypto map sequence) number do not have to match on your ASA or with the other end. They are two distinct phases of negotiation. The ASA will compare your policies with the other end's, starting with the lowest policy number, until a match is found.
I usually put the more secure policies first (i.e. with the lowest policy number).
To create a new policy, just add it with a new policy number, anywhere you want in the order.
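The following is an added example, not code from the thread or from Cisco. It models the negotiation rule the answer describes: the responder walks its ISAKMP policies in ascending priority-number order and the first acceptable one wins, so the crypto map sequence number plays no part in it. The policy values are constructed to mirror the four policy numbers in the question (DES as the cipher), and the lifetime rule follows Cisco's documented ISAKMP behaviour (the peer's lifetime must be less than or equal to ours, and the shorter one is used). The `explain` helper is also an assumption of this example, there to read next to `debug crypto isakmp` output.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # "crypto isakmp policy <n>"; lower is tried first
    encryption: str        # des, 3des, aes, aes-256 ...
    hash_alg: str          # sha, md5
    authentication: str    # pre-share, rsa-sig
    group: int             # Diffie-Hellman group
    lifetime: int          # seconds

# Constructed local policy set mirroring the four policies in the question above.
LOCAL_POLICIES = [
    IsakmpPolicy(1,  "des", "sha", "pre-share", 2, 43200),
    IsakmpPolicy(9,  "des", "md5", "pre-share", 1, 86400),
    IsakmpPolicy(10, "des", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(30, "des", "md5", "pre-share", 2, 86400),
]

ATTR_NAMES = ("encryption", "hash", "authentication", "group")

def _attrs(p: IsakmpPolicy) -> tuple:
    return (p.encryption, p.hash_alg, p.authentication, p.group)

def negotiate(local: List[IsakmpPolicy], remote: IsakmpPolicy) -> Optional[Tuple[int, int]]:
    """Return (matching local priority, negotiated lifetime), or None if no policy fits.

    The remote policy's own priority number is irrelevant: only its attributes count.
    Cisco's documented rule: the peer's lifetime must be <= ours, and the shorter is used.
    """
    for pol in sorted(local, key=lambda p: p.priority):
        if _attrs(pol) == _attrs(remote) and remote.lifetime <= pol.lifetime:
            return pol.priority, min(pol.lifetime, remote.lifetime)
    return None

def explain(local: List[IsakmpPolicy], remote: IsakmpPolicy) -> List[Tuple[int, str]]:
    """Per-policy reason why the peer's proposal was or was not accepted, in the order tried."""
    reasons = []
    for pol in sorted(local, key=lambda p: p.priority):
        diffs = [name for name, ours, theirs in zip(ATTR_NAMES, _attrs(pol), _attrs(remote))
                 if ours != theirs]
        if not diffs and remote.lifetime > pol.lifetime:
            diffs.append(f"lifetime {remote.lifetime} > {pol.lifetime}")
        reasons.append((pol.priority, "match" if not diffs else ", ".join(diffs)))
    return reasons

if __name__ == "__main__":
    # A peer proposing des/sha/pre-share/group 2 with an 86400 s lifetime skips policy 1
    # (its 43200 s lifetime is shorter than the proposal) and lands on policy 10.
    peer = IsakmpPolicy(0, "des", "sha", "pre-share", 2, 86400)
    print(negotiate(LOCAL_POLICIES, peer))
    for prio, why in explain(LOCAL_POLICIES, peer):
        print(f"policy {prio}: {why}")
```

A 3DES proposal against this set returns None, which is the "no match" case the second part of the question asks about: a new policy with the wanted attributes has to be added under any free priority number.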
-
Hello all,
I need to confirm: for IKE Phase 1 we use port UDP 500.
For IKE Phase 2 we use:
ESP - IP protocol 50
NAT-T - UDP 4500
TCP - 10000
Regards
Mahesh
IKE phase 1 (main mode/aggressive mode) is UDP src and dst 500.
IKE phase 2 could be:
- IP protocol 50 (ESP)
- NAT-T is UDP src (client) ephemeral, dst (server) UDP 4500
- In older VPN clients TCP encapsulation was TCP src (client) ephemeral, dst (server) TCP 10000 (10,000 in US notation and 10.000 in most other countries)
-
Hello,
I have problems configuring an IPsec L2L tunnel between my 1921 and an ASA. I have to use aggressive mode as the 1921 does not have a fixed IP. IKE phase 1 is fine, but then I get the following messages:
Apr 01 2014 11:00:14 %ASA-5-713119: Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, PHASE 1 COMPLETED
Apr 01 2014 11:00:14 %ASA-5-713904: Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, All IPSec SA proposals found unacceptable!
and the tunnel does not come up. So I guess it's not about the identified networks; I suspect the defined transform-set is not right.
ASA:
# Crypto map
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 match address OUTSIDE_cryptomap_65535.130
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set security-association lifetime seconds 86400
# Identification of the traffic
access-list OUTSIDE_cryptomap_65535.130 extended permit ip 10.30.2.0 255.255.255.0 10.30.42.0 255.255.255.0
And on the 1921:
crypto keyring LOCAL
  pre-shared-key address XXX.XXX.XXX.XXX key mykey
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp profile AGGRESSIVE-ASA
   keyring LOCAL
   match identity address XXX.XXX.XXX.XXX 255.255.255.255
   initiate mode aggressive
!
crypto ipsec transform-set gsm esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map gsm2 isakmp-profile AGGRESSIVE-ASA
crypto map gsm2 20 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set gsm
 match address 103
!
access-list 103 permit ip 10.30.42.0 0.0.0.255 10.30.2.0 0.0.0.255
I have tried different combos on the 1921 but no luck.
What am I missing? Could anyone help with the transform-set command on the 1921? It's a little different than on the ASA. Can anyone help?
Best regards
You don't show us the configuration (if there is one) of the ASA's Phase 2 transform-set.
There should be a transform-set matching your 1921's, something like in this example:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
-
ASA 8.2 IKE phase 2 IPsec failure
I used the IPsec remote-access VPN wizard on an ASA 5510 Security Plus running OS version 8.2.
Group: adminsbbs
User: adminuser
When connecting using the client, it says "Securing communications..." and then it flashes and is disconnected. Hoping the following debug output will help you to help me, so I didn't include the config.
What seems to be the cause of the IKE phase 2 failure?
From the ASA device:
asa01# 29 Dec 18:54:16 [IKEv1 DEBUG]: IP = 3.4.249.124, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
29 Dec 18:54:16 [IKEv1]: IP = 3.4.249.124, Connection landed on tunnel_group adminsbbs
29 Dec 18:54:16 [IKEv1 DEBUG]: Group = adminsbbs, IP = 3.4.249.124, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1
29 Dec 18:54:16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, User (adminuser) authenticated.
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received unhandled transaction mode attribute: 5
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Client Type: Mac OS X Client Application Version: 4.9.01 (0100)
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Assigned private IP address 172.16.20.1 to remote user
29 Dec 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
29 Dec 18:54:26 [IKEv1]: IP = 3.4.249.124, Keep-alive type for this connection: DPD
29 Dec 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Starting P1 rekey timer: 82080 seconds.
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received remote Proxy Host data in ID Payload: Address 172.16.20.1, Protocol 0, Port 0
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM IsRekeyed old sa not found by addr
29 Dec 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
29 Dec 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Processing IPSec SA payload
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM FSM error (P2 struct &0xcca2f140, mess id 0x374db953)!
29 Dec 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE QM Responder FSM error history (struct &0xcca2f140) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Removing peer from correlator table failed, no match!
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2 Mismatch
29 Dec 18:54:26 [IKEv1]: Ignoring msg to mark SA with dsID 102400 dead because SA deleted
29 Dec 18:54:26 [IKEv1]: IP = 3.4.249.124, Received encrypted packet with no matching SA, dropping
The client connection:
Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin 10.5.0 Darwin Kernel Version 10.5.0: Fri Nov 5 23:20:39 PDT 2010; root:xnu-1504.9.17~1/RELEASE_I386 i386
365    19:09:13.384  12/29/2010  Sev=Info/4  CM/0x43100002
Begin connection process
366    19:09:13.385  12/29/2010  Sev=Warning/2  CVPND/0x83400011
Error 28 sending packet. Dst Addr: 0xAC10D5FF, Src Addr: 0xAC10D501 (DRVIFACE:1158).
367    19:09:13.385  12/29/2010  Sev=Warning/2  CVPND/0x83400011
Error 28 sending packet. Dst Addr: 0xAC107FFF, Src Addr: 0xAC107F01 (DRVIFACE:1158).
368    19:09:13.385  12/29/2010  Sev=Info/4  CM/0x43100004
Establish connection using Ethernet
369    19:09:13.385  12/29/2010  Sev=Info/4  CM/0x43100024
Attempt connection with server "1.2.0.14"
370    19:09:13.385  12/29/2010  Sev=Info/4  CVPND/0x43400019
Privilege Separation: binding to port: (500).
371    19:09:13.387  12/29/2010  Sev=Info/4  CVPND/0x43400019
Privilege Separation: binding to port: (4500).
372    19:09:13.387  12/29/2010  Sev=Info/6  IKE/0x4300003B
Attempting to establish a connection with 1.2.0.14.
373    19:09:13.471  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.0.14
374    19:09:13.538  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
375    19:09:13.538  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 1.2.0.14
376    19:09:13.538  12/29/2010  Sev=Info/5  IKE/0x43000001
Peer is a Cisco-Unity compliant peer
377    19:09:13.538  12/29/2010  Sev=Info/5  IKE/0x43000001
Peer supports XAUTH
378    19:09:13.539  12/29/2010  Sev=Info/5  IKE/0x43000001
Peer supports DPD
379    19:09:13.539  12/29/2010  Sev=Info/5  IKE/0x43000001
Peer supports NAT-T
380    19:09:13.539  12/29/2010  Sev=Info/5  IKE/0x43000001
Peer supports IKE fragmentation payloads
381    19:09:13.622  12/29/2010  Sev=Info/6  IKE/0x43000001
IOS Vendor ID Contruction successful
382    19:09:13.622  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.0.14
383    19:09:13.623  12/29/2010  Sev=Info/6  IKE/0x43000055
Sent a keepalive on the IPSec SA
384    19:09:13.623  12/29/2010  Sev=Info/4  IKE/0x43000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
385    19:09:13.623  12/29/2010  Sev=Info/5  IKE/0x43000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
386    19:09:13.623  12/29/2010  Sev=Info/4  CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
387    19:09:13.639  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
388    19:09:13.639  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
389    19:09:13.639  12/29/2010  Sev=Info/4  CM/0x43100015
Launch xAuth application
390    19:09:13.825  12/29/2010  Sev=Info/4  IPSEC/0x43700008
IPSec driver successfully started
391    19:09:13.825  12/29/2010  Sev=Info/4  IPSEC/0x43700014
Delete all keys
392    19:09:16.465  12/29/2010  Sev=Info/4  CM/0x43100017
xAuth application returned
393    19:09:16.465  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
394    19:09:16.480  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
395    19:09:16.480  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
396    19:09:16.481  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
397    19:09:16.481  12/29/2010  Sev=Info/4  CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
398    19:09:16.482  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
399    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
400    19:09:16.498  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
401    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.20.1
402    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
403    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 1.2.2.2
404    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 1.2.2.22
405    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
406    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000003
407    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300000F
SPLIT_NET #1
subnet = 10.10.10.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port = 0
408    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300000F
SPLIT_NET #2
subnet = 1.2.31.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port = 0
409    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300000F
SPLIT_NET #3
subnet = 1.2.8.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port = 0
410    19:09:16.498  12/29/2010  Sev=Info/5  IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
411    19:09:16.499  12/29/2010  Sev=Info/5  IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(2) built by builders on Mon 11-Jan-10 14:19
412    19:09:16.499  12/29/2010  Sev=Info/5  IKE/0x4300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
413    19:09:16.499  12/29/2010  Sev=Info/4  CM/0x43100019
Mode Config data received
414    19:09:16.500  12/29/2010  Sev=Info/4  IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.0.103, GW IP = 1.2.0.14, Remote IP = 0.0.0.0
415    19:09:16.500  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 1.2.0.14
416    19:09:16.517  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
417    19:09:16.517  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.0.14
418    19:09:16.517  12/29/2010  Sev=Info/5  IKE/0x43000045
RESPONDER-LIFETIME notify has value of 86400 seconds
419    19:09:16.517  12/29/2010  Sev=Info/5  IKE/0x43000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
420    19:09:16.518  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
421    19:09:16.518  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 1.2.0.14
422    19:09:16.518  12/29/2010  Sev=Info/4  IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.0.14
423    19:09:16.518  12/29/2010  Sev=Info/4  IKE/0x43000049
Discarding IPsec SA negotiation, MsgID=FCB95275
424    19:09:16.518  12/29/2010  Sev=Info/4  IKE/0x43000017
Marking IKE SA for deletion (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
425    19:09:16.520  12/29/2010  Sev=Info/5  IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
426    19:09:16.520  12/29/2010  Sev=Info/4  IKE/0x43000058
Received an ISAKMP message for a non-active SA, I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148
427    19:09:16.520  12/29/2010  Sev=Info/4  IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 1.2.0.14
428    19:09:17.217  12/29/2010  Sev=Info/4  IPSEC/0x43700014
Delete all keys
429    19:09:19.719  12/29/2010  Sev=Info/4  IKE/0x4300004B
Discarding IKE SA negotiation (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
430    19:09:19.719  12/29/2010  Sev=Info/4  CM/0x43100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
431    19:09:19.719  12/29/2010  Sev=Info/5  CM/0x43100025
Initializing CVPNDrv
432    19:09:19.719  12/29/2010  Sev=Info/4  CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.
433    19:09:19.719  12/29/2010  Sev=Info/4  IKE/0x43000001
IKE received signal to terminate VPN connection
434    19:09:20.719  12/29/2010  Sev=Info/4  IPSEC/0x43700014
Delete all keys
435    19:09:20.719  12/29/2010  Sev=Info/4  IPSEC/0x43700014
Delete all keys
436    19:09:20.719  12/29/2010  Sev=Info/4  IPSEC/0x43700014
Delete all keys
437    19:09:20.719  12/29/2010  Sev=Info/4  IPSEC/0x43700014
IPSec driver successfully stopped
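An added example (not code from the thread or from Cisco) that reads the ASA side of the exchange above and pulls out the one line that explains the failure: the "Phase 2 failed: Mismatched attribute types" message names the attribute class, what the peer proposed (Rcv'd) and what the matched crypto map offers (Cfg'd). The sample debug text is a constructed, condensed copy of the lines posted above; the `hints` wording and the tunnel-mode advice for remote-access clients are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a condensed copy of the "debug crypto isakmp" lines quoted above
# (same messages, fewer repeats).
SAMPLE_DEBUG = """\
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
29 Dec 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2 Mismatch
"""

MISMATCH_RE = re.compile(
    r"Phase 2 failed: Mismatched attribute types for class (?P<cls>.+?): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+?)\s*$")
CRYPTOMAP_RE = re.compile(r"configured for crypto map: (?P<name>\S+)")

@dataclass
class Phase2Report:
    phase1_completed: bool = False
    crypto_map: Optional[str] = None
    # (attribute class, Rcv'd value, Cfg'd value) -> number of times the ASA logged it
    mismatches: Counter = field(default_factory=Counter)
    proposals_rejected: bool = False

def analyse(debug_text: str) -> Phase2Report:
    """Scan IKEv1 debug output line by line and collect the Phase 2 verdict."""
    rep = Phase2Report()
    for line in debug_text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            rep.phase1_completed = True
        m = CRYPTOMAP_RE.search(line)
        if m:
            rep.crypto_map = m.group("name")
        m = MISMATCH_RE.search(line)
        if m:
            rep.mismatches[(m.group("cls"), m.group("rcvd"), m.group("cfgd"))] += 1
        if "All IPSec SA proposals found unacceptable" in line:
            rep.proposals_rejected = True
    return rep

def hints(rep: Phase2Report) -> List[str]:
    """Turn the report into the checks an operator would make next (example wording)."""
    out = []
    if not rep.phase1_completed:
        out.append("Phase 1 never completed: check the ISAKMP policy and pre-shared key first.")
        return out
    for (cls, rcvd, cfgd), n in rep.mismatches.items():
        where = f"crypto map {rep.crypto_map}" if rep.crypto_map else "the matching crypto map"
        msg = f"{cls}: peer proposed '{rcvd}', {where} only offers '{cfgd}' ({n}x)"
        if cls == "Encapsulation Mode" and "Transport" in cfgd and "Tunnel" in rcvd:
            msg += "; a remote-access client needs a tunnel-mode transform-set"
        out.append(msg)
    if rep.proposals_rejected and not rep.mismatches:
        out.append("Proposals rejected without an attribute mismatch line: "
                   "compare transform-sets and crypto ACLs on both sides by hand.")
    return out

if __name__ == "__main__":
    for h in hints(analyse(SAMPLE_DEBUG)):
        print(h)
```

The counter matters in practice: the ASA logs one mismatch line per transform it tried, so four identical lines with a single Cfg'd value say the dynamic map offers exactly one (wrong) encapsulation, not four different ones.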
Hello 3moloz123,
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
1. The reason the remote access (RA) VPN couldn't form successfully before the change from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN. You must use tunnel mode for IPsec processing, because we must keep the inner IP header so that, once the packet is decapsulated and decrypted at the IPsec head-end, we can forward the packet.
In the logs you can see this failure:
29 Dec 18:54:26 [IKEv1]: Phase 2 failed: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Repeat x 4
Rcv'd is the transform sent by the RA client. Cfg'd is what the dynamic crypto map supports.
2. The isakmp policy change was unnecessary; the Phase 1 session came up fine, indicating ISAKMP worked. Phase 2 begins only after a successful Phase 1 (ISAKMP session).
After failing to build Phase 2 (child SA) we drop the ISAKMP security association since it is not used.
I hope that answers your questions.
Kind regards
Craig
-
2 site-to-site VPN tunnels from location A to B
Hello
Current:
I have an ASA 5505 (8.2.x) deployed at a client site with a public IP address provided by the customer.
I have a site-to-site tunnel between us (site A) and the client (site B).
The ASA (at the client) has been installed with the 2 default VLANs (one for outside, one for inside using ports 2-7).
Future:
The customer wants another site-to-site tunnel for a separate project, but they want to use the same ASA with another port configured for a different IP address scheme for this new project (which means the same public IP address, but a different VLAN IP).
My Actions:
(A) My first reaction was that I could not do that, but since it's the customer I must find a way. Can I reconfigure the client (site B) ASA to take a port and configure it on a different VLAN (using the IP scheme for this project) and set up a second site-to-site tunnel using this VLAN?
(B) Can I even reconfigure a port for a third VLAN on this ASA? (customer ASA 5505, 8.2.x, 10-user license).
What is the best approach to accomplish this task?
Thank you...
It's a strange question - technically, you could - I think the place where you will fall short is that it uses the same peer address at its end. I don't think that it will eventually operate favorably... never tried.
I don't really understand the need for "another site-to-site tunnel", however. Theoretically, I could be wrong here, there only needs to be one IKE phase 1 tunnel. There may be several IKE phase 2 tunnels communicating through the tunnel at the same time, however.
Why not leave the peer relationship as it is, expand your (and his) internal/external crypto ACLs and go from there. ASA 8.4 supports twice NAT - which could be a solution if he has issues on his end.
And to be honest, even the ASA 5505s that I helped set up were all at remote sites, and I'm sure that each of them exists only for the purposes of a single site to my organization.
Perhaps explain WHY he wants to do what he wants to do, too?
-
Hello
I have a headquarters and a remote site and I want to get a site-to-site VPN between the two. I have the following setup on each router. 'show crypto session' says that the VPN is in the UP-IDLE state (with my somewhat limited understanding of VPNs, this means that IKE phase 1 is complete and it is waiting for phase 2). When I run a "debug crypto ipsec" on the remote site, I get "no crypto map exists for local address 100.x.x.x" and the VPN remains UP-IDLE. The ACL on the external interface allows the IP of the remote site. I have CBAC running on the external interface of both routers and the ACL permits all traffic between the addresses 100.x.x.x and 200.x.x.x. Could someone help me with the config? I must be doing something wrong somewhere.
Thank you!
Shaun
HQ router: (LAN 10.2.0.0/16)
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key <key> address 100.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 100.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_REMOTE_NETWORK
!
interface FastEthernet0/0
 ip address 200.x.x.x 255.255.255.252
 ip access-group firewall in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_REMOTE_NETWORK
 permit ip any 10.1.0.0 0.0.255.255
Remote router: (LAN 10.1.0.0/16)
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key <key> address 200.x.x.x
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set AES_MD5_COMPRESSION esp-aes esp-md5-hmac comp-lzs
!
crypto map S2S_VPN local-address FastEthernet0/0
!
crypto map S2S_VPN 10 ipsec-isakmp
 set peer 200.x.x.x
 set transform-set AES_MD5_COMPRESSION
 set pfs group5
 match address TRAFFIC_TO_HQ_NETWORK
!
interface FastEthernet0/0
 ip address 100.x.x.x 255.255.255.252
 ip access-group firewall in
 ip nat outside
 no ip virtual-reassembly
 crypto map S2S_VPN
!
ip access-list extended TRAFFIC_TO_HQ_NETWORK
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
Hi Shaun,
Some comments...
QM_IDLE means that phase 1 is established (sh cry isa sa).
You should see with "sh cry ips sa" whether it has put IPsec SAs in place for encryption/decryption of the phase 2 traffic.
The VPN ACL (the crypto ACL) should be a mirror of the other (you have "any" on one side and the two networks stated on the other peer).
You do NAT, therefore there should be a NAT exemption rule for the VPN traffic (to remove the IPsec traffic from NAT).
This should be it.
Federico.
-
I'm doing a site-to-site VPN for the first time, on an 891 to an RV120 (GUI), but it doesn't connect. I think it could be my access list on the 891. The error I get on the RV120 is:
2012-08-02 18:15:35: [rv120w] [IKE] ERROR: Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w] [IKE] INFO: Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w] [IKE] INFO: Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w] [IKE] INFO: Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w] [IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w] [IKE] ERROR: Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w] [IKE] ERROR: Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase 1.
2012-08-02 18:17: [rv120w] [IKE] INFO: Accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17: [rv120w] [IKE] WARNING: schedular is already scheduled for creation of SA for outside: 'xx.xx.xx.xx'
2012-08-02 18:17: [rv120w] [IKE] ERROR: could not attach schedSaCreate in IKE configuration
891 config
=====================================================
ip dhcp pool test
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
!
!
interface FastEthernet8
 description Qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
!
interface Vlan1
 description Quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================
Hi Manny,
Thanks for the debug output! I believe that we are making some progress and were able to establish IKE phase 1. The problem now is establishing the IPsec SA, or IKE phase 2. Could you do the following once more, and post the results?
int f8
 no crypto map maptest1
int d1
 crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
Sent from Cisco Technical Support iPhone App
-
IPsec over UDP - remote VPN access
Hello world
The VPN client user PC IPSEC over UDP option is checked under transport.
When I check the details of the phase 1 of IKE ASDM of user login, it shows only UDP 500 port not port 4500.
Means that user PC VPN ASA there that no device in question makes NAT.
What happens if we checked the same option in the client IPSEC VPN - over UDP and now, if we see the port UDP 4500 under IKE phase 1 Connection Details
This means that there is now ASA a NAT device VPN Client PC, but he allows IKE connection phase 1?
Concerning
MAhesh
Hello Manu,
I suggest to use the following commands on your ASA have a look at these ports as the test of VPN connections. The command that you use depends on your level of software as minor changes in the format of the command
View details remote vpn-sessiondb
view sessiondb-vpn remote detail filter p-ipaddress
Or
View details of ra-ikev1-ipsec-vpn-sessiondb
display the filter retail ra-ikev1-ipsec-vpn-sessiondb p-ipaddress
These will provide information on the type of VPN Client connection.
Here are a few out of different situations when connecting with the VPN Client
Dynamic PAT - no Transparent on the Client VPN tunnel
- Through the VPN connections do not work as connects via PAT without Transparent tunnel
Username: Index: 22
Public IP address 10.0.1.2 assigned IP::
Protocol: IPsec IKEv1
IKEv1:
Tunnel ID: 22.1
The UDP Src Port: 18451 UDP Dst Port: 500
IKE Neg Mode: Aggressive Auth Mode: preSharedKeys
Encryption: AES 256 hash: SHA1
Generate a new key Int (T): 28800 seconds given to the key Left (T): 28551 seconds
Group D/H: 2
Name of the filter:
Client OS: Windows NT Client OS worm: 5.0.07.0290
IPsec:
Tunnel ID: 22.2
Local addr: 0.0.0.0/0.0.0.0/0/0
Remote addr: 10.0.1.2/255.255.255.255/0/0
Encryption: AES 256 hash: SHA1
Encapsulation: Tunnel
Generate a new key Int (T): 28800 seconds given to the key Left (T): 28551 seconds
Idle Time Out: 30 Minutes idling left: 25 Minutes
TX Bytes: 0 Rx bytes: 0
TX pkts: Rx Pkts 0: 0
Dynamic PAT - Transparent Tunneling (NAT/PAT) on the VPN Client
- Connections through the VPN work, as we use Transparent Tunneling when forming the VPN Client connection through dynamic PAT
Username     :                        Index        : 28
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverNatT
IKEv1:
  Tunnel ID    : 28.1
  UDP Src Port : 52825                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverNatT:
  Tunnel ID    : 28.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28784 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 360                    Bytes Rx     : 360
  Pkts Tx      : 6                      Pkts Rx      : 6
Dynamic PAT - Transparent Tunneling (IPsec over TCP) on the VPN Client
- Connections through the VPN work, as we use Transparent Tunneling when forming the VPN Client connection through dynamic PAT
Username     :                        Index        : 24
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverTCP
IKEv1:
  Tunnel ID    : 24.1
  UDP Src Port : 20343                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverTCP:
  Tunnel ID    : 24.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 TCP Src Port : 20343
  TCP Dst Port : 10000
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28792 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 180                    Bytes Rx     : 180
  Pkts Tx      : 3                      Pkts Rx      : 3
Static NAT - no Transparent Tunneling on the VPN Client
- VPN Client connections to the LAN work because our VPN Client has a static NAT configured for its local IP address. This lets ESP pass, without encapsulation, through the device doing the static NAT. You must allow the ESP traffic through the NAT device towards the VPN device, or configure VPN connection inspection if there is an ASA acting as the NAT device.
Username     :                        Index        : 25
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 25.1
  UDP Src Port : 50136                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsec:
  Tunnel ID    : 25.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28791 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 120                    Bytes Rx     : 120
  Pkts Tx      : 2                      Pkts Rx      : 2
Static NAT - Transparent Tunneling (NAT/PAT) on the VPN Client
- The VPN Client connections work normally. Even though a host behind static NAT does not need UDP encapsulation, it is still used if your VPN Client connection profile is configured to use it (Transport tab in the client software)
Username     :                        Index        : 26
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverNatT
IKEv1:
  Tunnel ID    : 26.1
  UDP Src Port : 60159                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverNatT:
  Tunnel ID    : 26.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28772 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 1200                   Bytes Rx     : 1200
  Pkts Tx      : 20                     Pkts Rx      : 20
Static NAT - Transparent Tunneling (IPsec over TCP) on the VPN Client
- The VPN Client connections work normally. Even though a host behind static NAT does not need TCP encapsulation, it is still used if your VPN Client connection profile is configured to use it (Transport tab in the client software)
Username     :                        Index        : 27
Assigned IP  :                        Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverTCP
IKEv1:
  Tunnel ID    : 27.1
  UDP Src Port : 61575                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : Windows NT             Client OS Ver: 5.0.07.0290
IPsecOverTCP:
  Tunnel ID    : 27.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.0.1.2/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 TCP Src Port : 61575
  TCP Dst Port : 10000
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28790 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 120                    Bytes Rx     : 120
  Pkts Tx      : 2                      Pkts Rx      : 2
VPN device with a public IP address connected directly (as a VPN client) to an ASA
Username     :                        Index        : 491
Assigned IP  : 172.31.1.239           Public IP    :
Protocol     : IKE IPsec
IKE:
  Tunnel ID    : 491.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 71016 Seconds
  D/H Group    : 2
  Filter Name  :
IPsec:
  Tunnel ID    : 491.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 172.31.1.239/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 12123 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607460 K-Bytes
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 3767854                Bytes Rx     : 7788633
  Pkts Tx      : 56355                  Pkts Rx      : 102824
The above are examples for your reference. I must also say that I am absolutely not an expert when it comes to VPNs in general. I basically had to learn both firewalls and VPNs on my own, as during my studies we had no classes related to them (which was quite strange).
While I learned how to set up VPNs and troubleshoot them, I think I missed out on the basic theory. I had plans to get the CCNA/CCNP Security certifications, but at the moment everything is possible. I don't have the time for it.
I guess you are already going for the CCNP Security VPN exam?
Hope this helps, and I hope I didn't get anything wrong above.
-Jouni
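To make the cases above mechanical rather than eyeballed, here is an added example (my own code, not from Jouni's post or from Cisco) that parses text in the layout of show vpn-sessiondb detail, works out which transport the client ended up on from the Protocol field and IKE destination port, and flags a native-ESP session with no packets in either direction, which is the "dynamic PAT without Transparent Tunneling" case. The sample text is constructed: the user name and pool address are made up, the other values follow the outputs above.

```python
import re

# Constructed sample in the layout of "show vpn-sessiondb detail ra-ikev1-ipsec".
# Session 28 is the NAT-T case, session 22 the no-transparent-tunneling case.
SAMPLE = """\
Username     : vpnuser                Index        : 28
Assigned IP  : 192.168.50.10          Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsecOverNatT
IKEv1:
  Tunnel ID    : 28.1
  UDP Src Port : 52825                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
IPsecOverNatT:
  Tunnel ID    : 28.2
  Encapsulation: Tunnel
  Pkts Tx      : 6                      Pkts Rx      : 6
Username     : vpnuser                Index        : 22
Assigned IP  : 192.168.50.11          Public IP    : 10.0.1.2
Protocol     : IKEv1 IPsec
IKEv1:
  Tunnel ID    : 22.1
  UDP Src Port : 18451                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
IPsec:
  Tunnel ID    : 22.2
  Encapsulation: Tunnel
  Pkts Tx      : 0                      Pkts Rx      : 0
"""

# Protocol field -> how ESP actually travels between client and ASA.
TRANSPORT = {
    "IKEv1 IPsec": "native ESP (IP protocol 50, no ports for PAT to translate)",
    "IKEv1 IPsecOverNatT": "ESP in UDP/4500 (NAT-T)",
    "IKEv1 IPsecOverTCP": "ESP in TCP (IPsec over TCP, default port 10000)",
}


def _int(pattern, chunk, default=None):
    m = re.search(pattern, chunk)
    return int(m.group(1)) if m else default


def parse_sessions(text):
    """Split the output on 'Username' lines and pull out the fields we care about."""
    sessions = []
    for chunk in re.split(r"(?m)^Username\s*:", text)[1:]:
        proto = re.search(r"Protocol\s*:\s*(.+)", chunk)
        mode = re.search(r"IKE Neg Mode\s*:\s*(\w+)", chunk)
        sessions.append({
            "index": _int(r"Index\s*:\s*(\d+)", chunk),
            "protocol": proto.group(1).strip() if proto else "",
            "ike_mode": mode.group(1) if mode else "",
            "ike_dst_port": _int(r"UDP Dst Port\s*:\s*(\d+)", chunk),
            "tcp_dst_port": _int(r"TCP Dst Port\s*:\s*(\d+)", chunk),
            "pkts_tx": _int(r"Pkts Tx\s*:\s*(\d+)", chunk, 0),
            "pkts_rx": _int(r"Pkts Rx\s*:\s*(\d+)", chunk, 0),
        })
    return sessions


def diagnose(s):
    """One-line reading of a session, following the cases in the post above."""
    transport = TRANSPORT.get(s["protocol"], s["protocol"] or "unknown")
    parts = [f"session {s['index']}: {transport}"]
    if s["pkts_tx"] == 0 and s["pkts_rx"] == 0:
        if s["protocol"] == "IKEv1 IPsec":
            parts.append("no data either way: if the client is behind dynamic PAT, "
                         "native ESP cannot be translated, so enable Transparent Tunneling "
                         "on the client; behind static NAT, make sure ESP is permitted "
                         "through the NAT device")
        else:
            parts.append("no data yet")
    elif s["pkts_tx"] > 0 and s["pkts_rx"] == 0:
        parts.append("one-way: the ASA sends but gets nothing back")
    else:
        parts.append(f"passing traffic (tx {s['pkts_tx']}, rx {s['pkts_rx']})")
    return "; ".join(parts)


if __name__ == "__main__":
    for session in parse_sessions(SAMPLE):
        print(diagnose(session))
```

Feed it the real command output (saved to a file or pulled over SSH) instead of SAMPLE; the regexes only depend on the field labels, not on column positions.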
-
ISAKMP process problem on VPN tunnel
I configured two separate tunnels from two PIXes to a Cisco 3000 Concentrator.
The settings on the two PIXes for ISAKMP policies and transform-sets are the same. However, only one tunnel establishes, and the other fails.
I think the problem is at the 3000 end, but I am unable to prove it, as I do not have access.
The PIX with the tunnel shows the following debug output (debug crypto isakmp, debug crypto ipsec). Does the reason the SA is deleted mean the 3000 has a bad transform-set in the policy?
DEBUG OUTPUT
============
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:62.25.99.51, dest:195.188.216.195 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 4 against priority 23 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:62.25.99.51, dest:195.188.216.195 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:62.25.99.51, dest:195.188.216.195 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1619388538:9f7a1786IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x22a0e9d5(580970965) for SA from 62.25.99.51 to 195.188.216.195 for prot 3
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:62.25.99.51/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:62.25.99.51/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:62.25.99.51, dest:195.188.216.195 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 4188403644, spi size = 16
ISAKMP (0): deleting SA: src 195.188.216.195 dst 62.25.99.51
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xe97afc, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:62.25.99.51/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:62.25.99.51/500 Total VPN peers:0IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 62.25.99.51
Any help is appreciated!
Thank you
Neil
It seems that the phase 1 (IKE) SA is being created without error. I think the problem lies in the phase 2 (IPsec) SA. Can you post the relevant crypto maps and the ACLs the crypto maps refer to, from the PIX that fails and from the PIX that succeeds? That may give a clue as to what the issue is.
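The reasoning in the answer above (phase 1 authenticated, then the SA is deleted while Quick Mode is in progress, so look at phase 2) can be turned into a small log triage routine. This is an added example, my own code rather than anything from the post or from Cisco; it walks a debug crypto isakmp excerpt in the PIX 6.x wording shown above and reports how far the negotiation got. The excerpt is constructed with RFC 5737 addresses and a shortened sequence of events.

```python
import re

# Constructed "debug crypto isakmp" excerpt in the PIX 6.x format of the post above.
# The sequence of events mirrors the failing tunnel: phase 1 completes, Quick Mode
# starts, then the peer sends a DELETE and the status ends in IKMP_NO_ERR_NO_TRANS.
FAILING_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:198.51.100.7, dest:203.0.113.9 spt:500 dpt:500
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 4 against priority 23 policy
ISAKMP (0): atts are acceptable. Next payload is 0
return status is IKMP_NO_ERROR
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1619388538:9f7a1786
return status is IKMP_NO_ERROR
ISAKMP (0): processing DELETE payload. message ID = 4188403644, spi size = 16
ISAKMP (0): deleting SA: src 203.0.113.9 dst 198.51.100.7
return status is IKMP_NO_ERR_NO_TRANS
""".splitlines()

# Same start, but Quick Mode completes (constructed healthy counterpart).
HEALTHY_DEBUG = FAILING_DEBUG[:11] + [
    "ISAKMP (0): Creating IPSec SAs",
    "return status is IKMP_NO_ERROR",
]

# Milestones in the order IKEv1 reaches them, keyed by the substring that marks each.
MILESTONES = [
    ("phase1_proposal_ok", "atts are acceptable"),
    ("phase1_authenticated", "SA has been authenticated"),
    ("quick_mode_started", "beginning Quick Mode exchange"),
    ("delete_received", "processing DELETE payload"),
    ("ipsec_sas_created", "Creating IPSec SAs"),
]


def analyze_isakmp_debug(lines):
    """Collect which milestones appear and the last 'return status', then judge."""
    state = {name: False for name, _ in MILESTONES}
    state["last_status"] = None
    for line in lines:
        for name, marker in MILESTONES:
            if marker in line:
                state[name] = True
        m = re.search(r"return status is (\w+)", line)
        if m:
            state["last_status"] = m.group(1)
    state["verdict"] = verdict(state)
    return state


def verdict(st):
    if not st["phase1_proposal_ok"]:
        return "phase 1 proposal rejected: compare the isakmp policies on both peers"
    if not st["phase1_authenticated"]:
        return "phase 1 proposal accepted but the SA was never authenticated: check the pre-shared key and peer identity"
    if st["ipsec_sas_created"]:
        return "phase 2 established: IPsec SAs created"
    if st["quick_mode_started"] and st["delete_received"]:
        return ("phase 1 completed, then the peer deleted the SA during Quick Mode: "
                "compare the phase 2 transform-sets and crypto ACLs on both ends")
    if st["quick_mode_started"]:
        return "Quick Mode started, no outcome seen yet in this excerpt"
    return "phase 1 completed; Quick Mode not started"


if __name__ == "__main__":
    print(analyze_isakmp_debug(FAILING_DEBUG)["verdict"])
    print(analyze_isakmp_debug(HEALTHY_DEBUG)["verdict"])
```

Run it on a saved terminal log; because it matches on a handful of fixed debug strings, wording differences in other IOS/ASA releases will show up as a "not started" verdict rather than a wrong one.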
-
ASA 5505 as Easy VPN client - AM_ACTIVE status
Hi Experts,
We have an ASA5505 which is configured to operate as an Easy VPN client. The output of show isakmp sa shows the state of the tunnel as AM_ACTIVE.
But we are not able to establish connectivity to any of the inside nodes.
What does AM_ACTIVE mean? My understanding is that all Easy VPN clients, hardware or software, use Aggressive Mode, and the tunnel is set up and working. The Easy VPN server configuration is not under our management (it is most likely a router), and we believe the problem is a configuration issue at the server end.
In addition, there is virtually nothing to do on an Easy VPN client other than specifying the authentication and tunnel-group information in the client, and it should connect. All other configuration is pushed from the Easy VPN server end, right?
In the output of show ipsec sa, I noted the following
dynamic allocated peer ip: 0.0.0.0 ---> does this mean that my ASA5505 isn't assigned any IP by the Easy VPN server?
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 ---> no decryption, which probably means that there is no response from the remote end, right?
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
In the show vpnclient detail output I saw a lot of ISAKMP policies being created.
-------------------------------------------
crypto isakmp policy 65001
 authentication xauth-pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65002
 authentication xauth-pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65003
 authentication xauth-pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65004
 authentication xauth-pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65005
 authentication xauth-pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65006
 authentication xauth-pre-share
 encryption aes
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65007
 authentication xauth-pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65008
 authentication xauth-pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65009
 authentication xauth-pre-share
 encryption des
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65010
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65011
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65012
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65013
 authentication pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65014
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65015
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65016
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65017
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65018
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 2147483647
--------------------
Could this possibly be due to a bad server-end configuration, and be the cause of not being able to establish connectivity to the server-end nodes?
Help, please! Sorry for the mess, but we just want to make sure that it isn't something wrong with the configuration on our side!
Kind regards
ANUP sisi
There are 2 phases to IPSec: IKE (Phase 1), where the AM_Active status means Phase 1 is up, and IPSec (Phase 2); if you have both encaps and decaps incrementing, that means the tunnel is passing traffic.
Based on the output, the VPN tunnel is up and sends traffic to the VPN server/network, however there is no response in return.
You should check the VPN server end to see if there are any configuration issues. Check the NAT exemption and ensure that it is configured on the head-end. How do you have it set up? PAT/Client mode or NEM?
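The "both encaps and decaps incrementing" test above is about deltas between two readings, not about absolute values, so here is an added example (my own code, not from the thread or from Cisco) that takes two snapshots of the counter lines from show ipsec sa, computes what changed, and classifies the result; it also picks up the "dynamic allocated peer ip: 0.0.0.0" symptom from the question. Both snapshots are constructed and use the counter names as the ASA prints them.

```python
import re

# Constructed snapshots of the counter section of "show ipsec sa" on an ASA, taken a
# few seconds apart; the names match the ASA output, the values are made up.
SNAPSHOT_T0 = """\
    dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
SNAPSHOT_T1 = """\
    dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):\s*(\d+)")


def parse_counters(text):
    """Return {'pkts encaps': 3, ...}; 'peer_ip' is added when the line is present."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    m = re.search(r"dynamic allocated peer ip:\s*(\S+)", text)
    if m:
        counters["peer_ip"] = m.group(1)
    return counters


def delta(before, after):
    """Per-counter increase between two snapshots (non-numeric keys are skipped)."""
    return {k: after[k] - before[k]
            for k in after if isinstance(after[k], int) and k in before}


def classify(before, after):
    """Findings in the order a troubleshooter would read them."""
    d = delta(before, after)
    enc, dec = d.get("pkts encaps", 0), d.get("pkts decaps", 0)
    findings = []
    if after.get("peer_ip") == "0.0.0.0":
        findings.append("no address was pushed by the Easy VPN server (peer ip 0.0.0.0)")
    if d.get("send errors", 0) or d.get("recv errors", 0):
        findings.append("send/recv errors are increasing")
    if enc > 0 and dec == 0:
        findings.append("one-way: we encapsulate but never decapsulate; the remote side is "
                        "not answering (check its crypto ACL, NAT exemption and routing)")
    elif enc == 0 and dec > 0:
        findings.append("one-way: receiving only; our side is not sending "
                        "(check the local crypto ACL and NAT exemption)")
    elif enc == 0 and dec == 0:
        findings.append("idle: no interesting traffic hit the tunnel in the interval")
    else:
        findings.append("bidirectional: the tunnel is passing traffic")
    return findings


if __name__ == "__main__":
    for line in classify(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1)):
        print(line)
```

In practice generate some traffic between the two readings; a tunnel that shows "idle" while you were pinging through it means the traffic never matched the crypto ACL at all.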
-
NetScreen-VPN3000 certificate-based VPN interoperability
Dear all,
Has anyone succeeded in setting up a certificate-based VPN between a NetScreen and a VPN3000? We got the IKE protocol (phase 1) established, but no Phase 2 session. It looks like there is a problem with the cert (we use Entrust to generate the certificates). Any help would be very much appreciated.
Best regards
Hello
Certificate verification/validation is part of IKE phase 1. If you are passing phase 1, then the cert should not be the problem.
You must enable IKE, IPSEC, IKEDBG
Jean Marc
-
Site-to-site VPN stuck in IKE Phase 1 - MM_WAIT_MSG2
We have a site-to-site VPN. The tunnel worked before, but after some discussions about the location of ASA_Receiving (no config change was made on the ASA; this ASA is directly connected to the internet) the tunnel will not come back up. The devices can ping each other without problem.
It is an L2L VPN; I wonder if the Type showing "user" is related to the issue?
ASA_Initiator
IKE Peer: 71.13.xxx.xxx
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
ASA_Receiving
# show crypto isakmp sa
There are no isakmp sas
Hey,
Is the remote end an ASA as well?
If so, run the capture below on the ASA (placeholders in angle brackets stand for the interface and the two peer addresses):
capture capout interface <outside-interface> match udp host <local-peer> host <remote-peer>
The tunnel gets stuck on MM_WAIT_MSG2 for 2 reasons:
1. either a problem with the phase 1 policies of the remote end, or
2. UDP 500 is not reaching the remote end, or the remote end sends the UDP 500 packet back and it can't reach the local ASA.
Regards
-
IKE Phase 2 SA expires immediately - site-to-site IPsec over GRE
Hello
I'm migrating a site-to-site IPsec config from a Linux machine VPN (ipsec-tools + racoon) to a new 'face', an ASR1001 router.
As the Debian Linux box does not support VTI, I use a crypto map.
The working config is given below, with the corresponding logs, with Linux.
When I try to apply the config that worked before to the ASR1001, I get the following error:
000855: *Dec 12 18:28:21.859 UTC: %ACE-3-TRANSERR: IOSXE-ESP(14): IKEA trans 0x1350; opcode 0x60; param 0x2EE; error 0x5; retry cnt 0
Any idea about the error code 0x5?
The Linux-side logs show sync issues...
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: initiate new phase 1 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: begin Identity Protection mode.
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: CISCO-UNITY
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: DPD
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 12 18:50:19 FAKE-AUCH-GW racoon: INFO: ISAKMP-SA established 194.214.196.2[500]-130.120.124.8[500] spi:5f8e6339fb954d45:e513d25e42e19d11
Dec 12 18:50:20 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:39 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:50:50 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=30866420(0x1d6fbf4)
Dec 12 18:50:50 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:50:50 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=258959(0x3f38f)
Dec 12 18:50:59 FAKE-AUCH-GW racoon: INFO: initiate new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: ESP/Transport 130.120.124.8[500]->194.214.196.2[500] spi=95427747(0x5b01ca3)
Dec 12 18:51:09 FAKE-AUCH-GW racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: IPsec-SA expired: AH/Transport 130.120.124.8[500]->194.214.196.2[500] spi=159198575(0x97d2d6f)
Dec 12 18:51:09 FAKE-AUCH-GW racoon: INFO: respond new phase 2 negotiation: 194.214.196.2[500]<=>130.120.124.8[500]
Dec 12 18:51:10 FAKE-AUCH-GW racoon: NOTIFY: the packet is retransmitted by 130.120.124.8[500] (1).
!###########################################
! Running IOS config
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MY-0WN-T3RR1F1C-PR35H4R3D-K3Y address 192.0.2.66 no-xauth
!
!
crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
 mode transport
!
crypto map MY-0WN-map 1 ipsec-isakmp
 set peer 192.0.2.66
 set transform-set MY-0WN-TS-MD5
 set pfs group2
 match address 120
!
interface Tunnel0
 bandwidth 45000
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.66
 tunnel path-mtu-discovery
 tunnel bandwidth transmit 45000
 tunnel bandwidth receive 45000
!
interface GigabitEthernet0/0
 ip address 192.0.2.34 255.255.255.224
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
 duplex full
 speed 1000
 media-type gbic
 negotiation auto
 crypto map MY-0WN-map
###########################################
Linux-side logs:
Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA expired 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
Dec 12 08:18:30 GLA racoon: INFO: ISAKMP-SA deleted 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49ea8ffe38:e568a2dd27cbec5d
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 1 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: begin Identity Protection mode.
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: RFC 3947
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: DPD
Dec 12 08:18:31 GLA racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Dec 12 08:18:31 GLA racoon: [192.0.2.34] INFO: received INITIAL-CONTACT
Dec 12 08:18:31 GLA racoon: INFO: ISAKMP-SA established 192.0.2.66[500]-192.0.2.34[500] spi:88ed3c49e027808c:b17ba35c5b7f1e82
Dec 12 08:18:31 GLA racoon: INFO: respond new phase 2 negotiation: 192.0.2.66[500]<=>192.0.2.34[500]
Dec 12 08:18:31 GLA racoon: INFO: generated policy: 192.0.2.34/32[0] 192.0.2.66/32[0] proto=all dir=in
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=88493238(0x5464cb6)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=21367141(0x1460965)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: AH/Transport 192.0.2.66[500]->192.0.2.34[500] spi=1579505880(0x5e2558d8)
Dec 12 08:18:31 GLA racoon: INFO: IPsec-SA established: ESP/Transport 192.0.2.66[500]->192.0.2.34[500] spi=838280164(0x31f723e4)
Could you adjust your transform-set?
Right now you have: crypto ipsec transform-set MY-0WN-TS-MD5 ah-md5-hmac esp-aes 256 esp-md5-hmac
Could you change it to strictly ESP or strictly AH on both sides rather than mixing them.
There is a known issue with the ASR and mixing AH/ESP in the IPsec configuration. I'll post it below:
Mixing AH and ESP protocols in a transform-set on the ASR may not work. There is an enhancement request that will introduce support for this.
Symptoms:
The router may display the following messages on the console:
%ACE-3-TRANSERR: ASR1000-ESP(14): IKEA trans 0x27E; opcode 0x60; param 0x2A; error 0x5; retry cnt 0
Conditions:
This symptom is observed on a Cisco ASR1000 series router when it is working as an IPSec endpoint and a nested transform is applied, such as:
crypto ipsec transform-set transform-1 ah-sha-hmac esp-3des esp-md5-hmac
crypto ipsec transform-set transform-1 ah-md5-hmac esp-3des esp-md5-hmac
Workaround:
Remove the unsupported configuration.
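Checks like "does this transform-set mix AH and ESP" are easy to miss by eye in a long config, so here is an added example (my own code, not from the thread or from Cisco) that parses the crypto isakmp policy blocks and crypto ipsec transform-set lines of an IOS configuration and reports the mixed AH/ESP case described above, along with the weak-algorithm choices (DES/3DES, MD5, DH groups 1 and 2) that appear in the policies quoted on this page. It also applies the IOS defaults for lines that are omitted from a policy (des, sha, group 1), which is a common way to end up with a weaker policy than intended. The configuration fragment is constructed, with placeholder names and RFC 5737 addresses.

```python
import re

# Constructed IOS fragment shaped like the crypto section in the question above.
# Policy 20 deliberately omits "encr" and "hash" so the IOS defaults apply.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 20
 authentication pre-share
 group 14
!
crypto ipsec transform-set MIXED-TS ah-md5-hmac esp-aes 256 esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-ONLY-TS esp-aes 256 esp-sha-hmac
 mode tunnel
"""

# IOS defaults for an isakmp policy when a line is omitted.
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_GROUPS = {"1", "2"}   # MODP groups well below 2048 bits


def parse_isakmp_policies(cfg):
    """{'10': {'encr': 'aes 256', 'hash': 'md5', ...}, ...} with defaults filled in."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(DEFAULTS)
            policies[m.group(1)] = current
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current["encr" if key == "encryption" else key] = value
        else:
            current = None   # "!" or a new top-level command ends the block
    return policies


def parse_transform_sets(cfg):
    """{'MIXED-TS': ['ah-md5-hmac', 'esp-aes', '256', 'esp-md5-hmac'], ...}"""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"(?m)^crypto ipsec transform-set (\S+) (.+)$", cfg)}


def audit(cfg):
    findings = []
    for num, p in sorted(parse_isakmp_policies(cfg).items(), key=lambda kv: int(kv[0])):
        encr = p["encr"].split()[0]
        if encr in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak encryption {encr}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {p['hash']}")
        if p["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {p['group']}")
    for name, transforms in parse_transform_sets(cfg).items():
        has_ah = any(t.startswith("ah-") for t in transforms)
        has_esp = any(t.startswith("esp-") for t in transforms)
        if has_ah and has_esp:
            findings.append(f"transform-set {name}: mixes AH and ESP (unsupported on ASR1000)")
        if any(t in ("esp-des", "esp-3des") or t.endswith("md5-hmac") for t in transforms):
            findings.append(f"transform-set {name}: uses DES/3DES or MD5")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Point it at a saved show running-config; the parser only looks at the isakmp policy and transform-set lines and ignores everything else.
-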
Pre-shared keys used in IKE Phase 1
Hello all
Need to confirm whether we use pre-shared keys during IKE Phase 1 in both main mode and aggressive mode
Regards
Mahesh
The pre-shared key is used in both modes of IKE Phase 1. With pre-shared keys, the same pre-shared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
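To make "a keyed hash of data that includes the pre-shared key" concrete, here is an added example (my own code, not from the thread or from Cisco) of the RFC 2409 computation that both main mode and aggressive mode use for pre-shared-key authentication: SKEYID is derived from the PSK and the two nonces, and each peer proves possession of the PSK by sending HASH_I or HASH_R over the exchange values. The nonces, cookies, SA body, ID payloads and the two "DH public values" are constructed fixed bytes so the run is deterministic; no real Diffie-Hellman exchange is performed.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with the negotiated hash (SHA-1 here, as in "hash sha")."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    # RFC 2409 section 5: HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed exchange values (NOT real DH values or random nonces; fixed so that
# the example is repeatable). ID payload bodies are ID_IPV4_ADDR (type 1) with
# protocol/port 0 and RFC 5737 addresses.
EXCHANGE = {
    "ni_b": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "nr_b": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
    "gxi": b"\x01" * 128,
    "gxr": b"\x02" * 128,
    "cky_i": bytes.fromhex("0102030405060708"),
    "cky_r": bytes.fromhex("1112131415161718"),
    "sai_b": bytes.fromhex("00000001000000010000002401010000"),
    "idii_b": bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 66]),
    "idir_b": bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 34]),
}


def initiator_auth(psk: bytes, ex=EXCHANGE) -> bytes:
    """What the initiator sends in its last phase 1 message."""
    sk = skeyid_psk(psk, ex["ni_b"], ex["nr_b"])
    return hash_i(sk, ex["gxi"], ex["gxr"], ex["cky_i"], ex["cky_r"], ex["sai_b"], ex["idii_b"])


def responder_auth(psk: bytes, ex=EXCHANGE) -> bytes:
    """What the responder sends back."""
    sk = skeyid_psk(psk, ex["ni_b"], ex["nr_b"])
    return hash_r(sk, ex["gxi"], ex["gxr"], ex["cky_i"], ex["cky_r"], ex["sai_b"], ex["idir_b"])


def mutual_authentication(psk_initiator: bytes, psk_responder: bytes, ex=EXCHANGE) -> bool:
    """True only when both peers hold the same PSK: each recomputes the other's hash
    with its own key and compares in constant time."""
    responder_ok = hmac.compare_digest(initiator_auth(psk_responder, ex),
                                       initiator_auth(psk_initiator, ex))
    initiator_ok = hmac.compare_digest(responder_auth(psk_initiator, ex),
                                       responder_auth(psk_responder, ex))
    return responder_ok and initiator_ok


if __name__ == "__main__":
    print(mutual_authentication(b"same-key", b"same-key"))       # True
    print(mutual_authentication(b"same-key", b"other-key"))      # False
```

The difference between the two modes is only where these hashes travel: in main mode they are sent after the DH secret exists and are encrypted, in aggressive mode HASH_R goes in the clear in the second message, which is why a PSK used with aggressive mode needs to be a long random value rather than a password.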